Sunday, May 3, 2009

How to run windows powershell scripts

Running Powershell Scripts on local machine is so easy. You just need to change ExecutionPolicy in the Powershell. Powershell Execution Policies are used to prevent unauthorized scripts from running. They provide security for the scripting environment.

In Unix-like machines, we need to set the executable bit for shell scripts to run them (chmod +x <scriptname>)

Windows Powershell Execution Policies


Restricted
- Default execution policy.
- Permits individual commands, but scripts cannot
run.

AllSigned
- Scripts can run.
- Requires a digital signature from a trusted
publisher on all scripts and configuration files,
including scripts that you write on the local
computer.
- Prompts you before running scripts from trusted
publishers.
- Risks running signed, but malicious, scripts.

RemoteSigned
- Scripts can run.
- Requires a digital signature from a trusted
publisher on scripts and configuration files that
are downloaded from the Internet (including
e-mail and instant messaging programs).
- Does not require digital signatures on scripts run
from the local computer.
- Does not prompt you before running scripts from
trusted publishers.
- Risks running signed, but malicious, scripts.

Unrestricted
- Unsigned scripts can run.
- Scripts and configuration files that are downloaded
from the Internet (including Microsoft Outlook,
Outlook Express and Windows Messenger) run after
warning you that the file originated on the Internet.
- Risks running malicious scripts.

For us to learn, we will use the ExecutionPolicy "RemoteSigned" to run Powershell scripts without digital signatures on the local machine.

I have written a script to display first 5 running services. Let's see how to run that script (List_5_Running_Services.ps1)


PS C:\Users\Jagadish\Documents\Scripts> Get-ExecutionPolicy
Restricted

PS C:\Users\Jagadish\Documents\Scripts> Get-Content List_5_Running_Services.ps1
Get-Service | Where-Object { $_.Status -eq "Running" } | Select-Object -First 5

PS C:\Users\Jagadish\Documents\Scripts> .\List_5_Running_Services.ps1
File C:\Users\Jagadish\Documents\Scripts\List_5_Running_Services.ps1 cannot be loaded because the execution of scripts is disabled on this system. Please see "get-help about_signing" for more details.
At line:1 char:14
+ .\Testing.ps1 <<<<
+ CategoryInfo : NotSpecified: (:) [], PSSecurityException
+ FullyQualifiedErrorId : RuntimeException

PS C:\Users\Jagadish\Documents\Scripts>

As you can see in the above code, the current ExecutionPolicy is "Restricted". "Restricted" ExecutionPolicy is the most secure policy, and is the default. It permits individual commands, but does not permit scripts to run.

So to run our scripts without digital signatures, we need to change it to "RemoteSigned" Policy.


PS C:\Users\Jagadish\Documents\Scripts> Get-ExecutionPolicy
Restricted
PS C:\Users\Jagadish\Documents\Scripts> Set-ExecutionPolicy RemoteSigned
Set-ExecutionPolicy : Access to the registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell' is denied.
At line:1 char:20
+ Set-ExecutionPolicy <<<< RemoteSigned
+ CategoryInfo : NotSpecified: (:) [Set-ExecutionPolicy], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetExecutionPolicyCommand

PS C:\Users\Jagadish\Documents\Scripts>

If you get the above error while changing ExecutionPolicy to RemoteSigned, then probably you are running the Windows Powershell without Administrator Privileges. You can easily start Windows Powershell with Administrator Privilege just by right-clicking on the Powershell icon and selecting "Run as Administrator" as shown in below picture

Users running Windows XP or Windows Server 2003, may not get the above error as most users login with administrative privileges. In Windows Vista/7, this changed with the advent of User Account Control. Unless explictly requested, processes started by an Administrator account will run as a standard user and not Administrator.



After starting Windows Powershell with Administrator Privileges, lets try changing the ExecutionPolicy and running the script


PS C:\Users\Jagadish\Documents\Scripts> Get-ExecutionPolicy
Restricted
PS C:\Users\Jagadish\Documents\Scripts> Set-ExecutionPolicy RemoteSigned
PS C:\Users\Jagadish\Documents\Scripts> Get-ExecutionPolicy
RemoteSigned

PS C:\Users\Jagadish\Documents\Scripts> .\List_5_Running_Services.ps1

Status Name DisplayName
------ ---- -----------
Running AntiVirSchedule... Avira AntiVir Scheduler
Running AntiVirService Avira AntiVir Guard
Running Appinfo Application Information
Running AudioEndpointBu... Windows Audio Endpoint Builder
Running Audiosrv Windows Audio

PS C:\Users\Jagadish\Documents\Scripts>


More details can be found in http://www.microsoft.com/technet/scriptcenter/topics/winpsh/manual/run.mspx

Let me know if you have any questions or comments please

2 comments:

  1. It sounds to be quite effective scripts to prevent unauthorized scripts from running. It looks like digital signature plays major role for preventing it from any kind of unsecure or you can say unauthorized scripts.

    ReplyDelete